Unable to create docker container with docker module

louis gueye

Sep 15, 2014, 1:05:06 PM
to ansible...@googlegroups.com
Hi all,

I've been trying the docker module and I'm facing permission issues.
My use case is the following:

- I installed ansible (ubuntu package 1.7.1), python pip (ubuntu package), docker-py (pip package)
- I created a playbook with a simple task based on the docker module. I want to create my container with ansible and provision it with ansible. I don't want any ansible code to run inside my container.

I get this error:
msg: ConnectionError(MaxRetryError("UnixHTTPConnectionPool(host='localhost', port=None): Max retries exceeded with url: /run/docker.sock/v1.12/containers/json?all=1&limit=-1&trunc_cmd=1&size=0 (Caused by <class 'socket.error'>: [Errno 13] Permission denied)",),)

Intent : create one container on localhost via ansible, (maybe the playbook does not understand it the same way)
Pre-requisites: docker server is already up and running on localhost

I would be very grateful if anyone could explain to me what I'm doing wrong, because I must be doing something wrong as my script is so trivial.

Thank you for your help.

Regards,

Louis

Below is various additional information (console outputs + playbook)

python version
$ python --version
Python 2.7.6

docker version
$ docker --version
Docker version 1.2.0, build fa7b24f

pip list
$ pip list
ansible (1.7.1)
apt-xapian-index (0.45)
argparse (1.2.1)
backports.ssl-match-hostname (3.4.0.2)
chardet (2.0.1)
colorama (0.2.5)
command-not-found (0.3)
debtagshw (0.1)
defer (1.0.6)
dirspec (13.10)
docker-py (0.5.0)
dopy (0.2.3)
html5lib (0.999)
httplib2 (0.8)
Jinja2 (2.7.2)
lxml (3.3.3)
MarkupSafe (0.18)
oauthlib (0.6.1)
oneconf (0.3.7)
PAM (0.4.2)
paramiko (1.10.1)
pexpect (3.1)
Pillow (2.3.0)
pip (1.5.4)
piston-mini-client (0.7.5)
psutil (1.2.1)
pycrypto (2.6.1)
pycups (1.9.66)
pycurl (7.19.3)
pygobject (3.12.0)
pyOpenSSL (0.13)
pyserial (2.6)
pysmbc (1.0.14.1)
python-apt (0.9.3.5)
python-debian (0.1.21-nmu2ubuntu2)
pyxdg (0.25)
PyYAML (3.10)
reportlab (3.0)
requests (2.3.0)
sessioninstaller (0.0.0)
setuptools (3.3)
six (1.5.2)
software-center-aptd-plugins (0.0.0)
Twisted-Core (13.2.0)
Twisted-Web (13.2.0)
urllib3 (1.7.1)
websocket-client (0.18.0)
wsgiref (0.1.2)
zope.interface (4.0.5)

playbook
---
- hosts: localhost
  vars:
  - image: "ubuntu:14.04"
  - host_name: "risk-data"

  tasks:
    - name: "bring up container for {{ host_name }} from {{ image }}"
      docker: hostname="{{ host_name }}" image="{{ image }}" name="{{ host_name }}" expose=22

    - name: "wait for {{ host_name }}'s sshd to come up"
      wait_for: host="{{ host_name }}" port=22 state=started

    - name: "dump facts"
      debug: msg="Container {{ item.key }}"
      with_items: docker_containers

    - name: "add {{ host_name }} to inventory"
      add_host: name="{{ host_name }}" groups=risk ansible_ssh_host="{{ item.NetworkSettings.IPAddress }}" ansible_ssh_port=22
      with_items: docker_containers

playbook command line
$ ansible-playbook playbook.yml

PLAY [localhost] ************************************************************** 

GATHERING FACTS *************************************************************** 
ok: [localhost]

TASK: [bring up container for risk-data from ubuntu:14.04] ******************** 
failed: [localhost] => {"changed": false, "failed": true}
msg: ConnectionError(MaxRetryError("UnixHTTPConnectionPool(host='localhost', port=None): Max retries exceeded with url: /run/docker.sock/v1.12/containers/json?all=1&limit=-1&trunc_cmd=1&size=0 (Caused by <class 'socket.error'>: [Errno 13] Permission denied)",),)

FATAL: all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/home/louis/playbook.retry

localhost                  : ok=1    changed=0    unreachable=0    failed=1   


James Cammarata

Sep 15, 2014, 4:28:36 PM
to ansible...@googlegroups.com
Hi Louis, it looks like you're running your playbook from a user account that does not have access to the docker socket file. You should run the playbook using the sudo: or su: options to switch to a user that does have permission, or configure docker to allow your current user to connect using the file socket shown in the error.


louis gueye

Sep 17, 2014, 6:21:35 PM
to ansible...@googlegroups.com
Hi James,

Thank you for your insight.
Actually I could not use any ansible property/directive in the playbook to run it successfully.
I had to run the whole ansible command with sudo... Which is not the best option I guess.

In addition 2 strange things occur when I run this playbook:
- the wait_for directive hangs indefinitely so I had to comment it. 
- I was expecting a running container so in order to check the container status I listed containers (sudo docker ps -a): my container is there, created but not running. (No wonder why the wait_for directive hangs)

My next question to the community (if you don't mind helping me) is how do I make sure my container is created and listening to port 22?
I tried "state=present" and "state=running", but my container is still down.

Thank you for your help.

Toshio Kuratomi

Sep 17, 2014, 7:23:06 PM
to ansible...@googlegroups.com
On Wed, Sep 17, 2014 at 3:21 PM, louis gueye <louis...@gmail.com> wrote:
> Hi James,
>
> Thank you for your insight.
> Actually I could not use any ansible property/directive in the playbook to run it successfully.
> I had to run the whole ansible command with sudo... Which is not the best option I guess.

ansible is typically used for system management. So if you are doing something that needs more privileges, you'll need to use it with an account that has sufficient privileges to perform those actions[1]. For docker, you can configure your docker server such that a normal user account can connect to it or you can configure it so that only an account with specific privileges (such as root) can do so. Ansible does not allow you to get around your operating system's system of privileges; it simply makes it easier to do things that you already have permission to do.

[1]: One note here, ansible has facilities that allow you to run it as a normal user and switch to another user from inside ansible itself (using sudo or su). This isn't much different than running ansible as root when you're only talking to localhost, but it can make a big difference when you're using ansible to manage many remote machines.

> In addition 2 strange things occur when I run this playbook:
> - the wait_for directive hangs indefinitely so I had to comment it.
> - I was expecting a running container so in order to check the container status I listed containers (sudo docker ps -a): my container is there, created but not running. (No wonder why the wait_for directive hangs)
>
> My next question to the community (if you don't mind helping me) is how do I make sure my container is created and listening to port 22?
> I tried "state=present" and "state=running", but my container is still down.

This is actually a docker question. Many docker containers, including the ubuntu ones from docker hub, aren't configured like a virtual machine that you start up and it then runs constantly waiting for you to login and give it commands. Instead, they're designed for you to give it a single command which it then executes in the container's environment and then the container exits after. That command could be a one-off that runs briefly, does one thing and then exits, or it could be a long running process that you can interact with as you would a service running on a normal machine. If you want a container that acts like a virtual machine running sshd that you can connect to, you likely need to either build a container that starts up sshd as its command or look for a different container on docker hub that is already built for that purpose.

-Toshio
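
The "[Errno 13] Permission denied" on /run/docker.sock that James and Toshio explain above comes from the ordinary owner/group/other check on the socket file. The following is an added example, not part of the thread or of Ansible or docker-py, that reproduces that check so you can see which permission bit decides the outcome. The function names and the sample uid/gid values are assumptions; ACLs, AppArmor/SELinux and directory search permission are not modelled. Any account that passes this check can drive the Docker daemon, which runs as root, so treat socket access as root-equivalent when deciding who gets it.

```python
import os
import stat


def socket_access(mode, owner_uid, owner_gid, uid, gids):
    """Return (allowed, reason) for connect() on a Unix socket file.

    connect() needs write permission, and only one permission class is
    consulted: owner if the uid matches, else group, else other.
    """
    if uid == 0:
        return True, "root bypasses permission bits"
    if uid == owner_uid:
        bit, who = stat.S_IWUSR, "owner"
    elif owner_gid in gids:
        bit, who = stat.S_IWGRP, "group"
    else:
        bit, who = stat.S_IWOTH, "other"
    allowed = bool(mode & bit)
    return allowed, "%s write bit is %s" % (who, "set" if allowed else "clear")


def findings(mode):
    """Flag modes that hand the Docker API to every local user."""
    return ["world-writable socket"] if mode & stat.S_IWOTH else []


def check_socket(path="/run/docker.sock"):
    """Run the check for the current process against a real socket."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a socket" % path)
    gids = set(os.getgroups()) | {os.getegid()}
    return socket_access(st.st_mode, st.st_uid, st.st_gid, os.geteuid(), gids)


if __name__ == "__main__":
    # Constructed sample: socket owned by root, group gid 999 (assumed to be
    # "docker"), mode 0660; caller is uid 1000 and not in that group.
    print(socket_access(0o660, 0, 999, 1000, {1000}))
    try:
        print(check_socket())
    except (OSError, ValueError) as exc:
        print("live check skipped: %s" % exc)
```
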

louis gueye

Sep 18, 2014, 2:31:34 PM
to ansible...@googlegroups.com
Hi Toshio,

I'm so grateful that you took the time to provide such a clear explanation.
On top of that I now have a better understanding of docker.

Thank you so much.

Regards,

Louis